Tuesday, November 30, 2010

1) OWASP Conference PassOWASP graciously stepped up with a free conference pass (several hundred dollar value) and access to a training session (pending availability - $1,000+ value). Of course you’ll still have to pay for air and hotel, but taking a couple of hundred bucks off the top for the trip certainly helps out. There are three OWASP Global AppSec Events on the schedule for 2011 -- Dublin, Minneapolis, and Lisbon. Take your pick, they’ll all be really good!

2) Autographed Collection of Web Security BooksThis year I also wanted to award something really different -- something uniquely cool. Then I thought, what about a collection of Web security books autographed by their respective authors? That'd be pretty kick ass! So I made a big list of books published in the last couple of years and asked for a signed book donation from the authors. Guess what happened!? Within 24 hours I heard back for essentially everyone saying that they’d be delighted to support (see below). Woot! These guys rock.

3) BlackHat USA 2011 Conference PassBlackHat, a long time Top Ten sponsor, is donating a BlackHat USA 2011 conference pass ($1,395 value)! You'll of course have to get yourself to Las Vegas and find a place to stay, but you'll get to attend one of the best conference in the industry. Not to mention that kickass parties take place all during the event and the option to attend Defcon. Way cool.

I’m waiting on some other awards to come through the pipe and figure out the best way to allocate them. Stay tuned!

Monday, November 29, 2010

Each year the web security community produces a stunning amount of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, web browsers, web proxies, and so on. We are NOT talking about individual vulnerabilities with CVE numbers, nor any particular system compromise, but the actual new methods of Web-based attack. To keep track of all these discoveries and encourage information sharing, the Top Web Hacking Techniques acts as both a centralized knowledge base and a way to recognize researchers who contribute excellent work.

The selection process for 2010 will be a little different. Last year in 2009, where over 80 new attack techniques were recorded, the winners were selected solely by a panel of panel of distinguished security experts. This year we'd like you, the Web security community, to have the opportunity to vote for your favorite research. From the voting results the most popular 15 entries will be those judged by our panel of experts on the basis of novelty, impact, and overall pervasiveness to decide the Top Ten Web Hacking Techniques of 2010. Researchers topping the 2010 list may expect to receive praise amongst their peers as have those in past years (2006, 2007, 2008, and 2009). Right now I’m working on a really cool set of prizes for #1.

Then at IT-Defense 2011 (Feb.) it will be my great honor to introduce each of the top ten during my “Top Ten Web Hacking Techniques of the Year (2011)” presentations. Each technique will be described in technical detail for how they function, what they can do, to whom, and how best to defend against them. The audience will get an opportunity to better understand the newest Web-based attacks believed most likely to be used against us in the future.

To make all this happen we are going to need a lot of help from the community. At the bottom of this post will be the living master list of everything recorded. If anything is missing please comment containing the link to the research. Or maybe you think something should not be on the list. That's cool, but please explain why. While clearly not every technique is as powerful as another, please make every effort to include them anyway. Nothing should be considered too insignificant. Sometimes several issues can be combined for amazingly effective techniques.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!